As many businesses navigate a newly dispersed, work-from-home
workforce, this year's World Password Day gives businesses and employees
an opportunity to evaluate and improve their cybersecurity, beginning
with a simple yet often overlooked practice: using strong, unique passwords.
Passwords gate access to the many
tools and services that keep a business running, from logging
into a laptop or desktop to email accounts and vendor portals. Juggling so
many different logins, users often fall into poor habits, such as reusing
passwords across sites, using common phrases and failing to update their passwords
regularly. This World Password Day, experts from nine tech companies have
provided their tips and strategies to help secure credentials and protect businesses
from the cyber attacks that have risen in recent months.
Bryan Becker, product manager and researcher, WhiteHat Security
"The recent credential stuffing campaigns against the
World Health Organization and Gates Foundation and breach of children's site
Webkinz reinforce the importance of setting a different username/password
combination for every application you utilize as an end user to protect your
own information and your employer's. It is essential to practice security
mindedness as you browse the web to lessen the impact data breaches will have
on you and your organization once they occur. Some other tips you can practice
to secure yourself online are:
- Utilize multi-factor
authentication on any application that supports it. This can prevent an
attacker from gaining access to your account even if they determine your
username/password combination
- Only log into sites
that send your credentials and other sensitive information over SSL. A quick
way to determine this is if the URL you are viewing is prefaced with 'https://'
- Whenever you're
checking your email in a web browser and are sent messages with hyperlinks,
hover your mouse over the links and verify where the link is really going to
take you to by looking at the URL that appears on the lower left corner of the
screen. It's possible the blue highlighted URL written in the email body is
actually a disguised malicious link.
There's no better time to reinforce taking these
precautions than World Password Day, and I hope everyone uses this day to
promote better password habits to their employees, colleagues and even family
members. Passwords are essential to keep our digital identities private, and we
must do everything we can to make sure they don't fall into the wrong hands."
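Becker's "hover over the link and check where it really goes" advice can be applied to a whole message at once. The following is an added example, not code from WhiteHat Security or from this article: it parses an HTML e-mail body with Python's standard html.parser, collects every anchor, and flags links whose visible text names one host while the real href points at another, as well as any href that is not https (his second tip). The sample message is constructed here for illustration; the domains in it are reserved example names, not real sites.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_host):
    """Lower-cased hostname of a URL or bare hostname ('' if none)."""
    s = url_or_host if "://" in url_or_host else "http://" + url_or_host
    return (urlparse(s).hostname or "").lower()


def looks_like_url(text):
    """Heuristic: link text that reads as a URL or hostname (has a dot, no spaces)."""
    return " " not in text and "." in text


def deceptive_links(html):
    """Return (reason, href, visible_text) findings for links worth a second look:
    the text names one host but the href goes to another, or the href is not https."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = host_of(href)
        if looks_like_url(text) and host_of(text) != real_host:
            findings.append(("text-host-mismatch", href, text))
        if urlparse(href).scheme.lower() != "https":
            findings.append(("not-https", href, text))
    return findings


# Constructed sample message (not a real e-mail): one disguised reset link,
# one honest link with plain-language text, one honest link whose text is its own host.
SAMPLE_EMAIL = """
<p>Your account needs attention. Reset your password at
<a href="http://login-example.co/reset">https://login.example.com/reset</a>.</p>
<p>Need help? <a href="https://support.example.com/help">Contact support</a> or visit
<a href="https://www.example.com/security">www.example.com</a>.</p>
"""

if __name__ == "__main__":
    for reason, href, text in deceptive_links(SAMPLE_EMAIL):
        print(f"{reason}: shown {text!r} -> actually {href}")
```

The host comparison is deliberately strict: a look-alike registered domain such as the hyphenated one in the sample is exactly what a human glancing at the status bar tends to miss. The heuristic in `looks_like_url` only inspects text that reads as an address, so an anchor labelled "Contact support" is not judged by its text at all; that link still has to be checked by the reader, which is why the manual hover habit remains worth keeping.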
Jeff Hussey, CEO, Tempered
"It's a common misconception that having a
password that is lengthy with complex requirements will be enough to keep your
credentials secure. However, a recent study found that 74% of IT decision
makers' organizations were breached in the past via privileged access
credential abuse.
For years, the traditional tools to prevent
credential-based attacks have been firewalls, password policy, URL filtering,
and 2-factor authentication. These technologies continue to play a role, but
they remain susceptible to attacks and are challenging to manage at scale.
On World Password Day, it's important to
understand that there's now another option: invisibility. In simple terms,
hackers can't hack what they can't see. So, instead of the costly and complex
process of installing even more locks on the doors to your network, you can now
make your network invisible to these bad actors. You start with cryptographic
identities and zero-trust at the network level, along with multi-factor
authentication (MFA) to decide who gets to see which endpoints. Then it's no
longer a matter of determining which vulnerable endpoints need to be secured,
because no endpoints are visible, much less vulnerable to hackers.
It's called Airwall, and it is the ideal
solution for companies that need to protect their valuable data, and it is critical
for the new world of work-from-home employees."
Mihir Shah, CEO, Nexsan, a StorCentric company
"For individuals seeking to protect their
personal information and secure their online accounts, a strong password is a
critical first line of defense. But, if you are a commercial, nonprofit or
government organization, a password, regardless of how unique or how often it
is updated, will barely scratch the IT security surface. The only true
protection for an organization's high value data is to aggressively lock it
down using a hardened storage solution that has been engineered with the
understanding that attempts at corruption or deletion can come from anyone,
anywhere and at any time. The solution must be capable of recognizing and
rejecting every such attempt, regardless of whether it's from a virus,
ransomware, spyware, user mistakes, software error - or a new threat that
hasn't even been discovered yet."
JG Heithcock, GM, Retrospect, a StorCentric company
"World Password Day reminds us of just how
critical it is to take every precaution to protect ourselves and our data. And
certainly, a unique password is a great place to start, but, you can't stop
there. Cyberthreats like ransomware are becoming increasingly pervasive,
affecting homes and businesses alike. However, by proactively employing a data
protection strategy that includes an effective and efficient backup solution,
you will be able to thwart cybercriminals and ensure your data remains private,
secure, accessible and recoverable."
Jay Ryerse, VP, Cybersecurity Initiatives, ConnectWise
"Passwords are often associated with
inconvenience -- and for good reason. Employees and consumers alike are
overwhelmed by the thought of remembering login details for 100-200 websites
and making them difficult for bad actors to guess. That's why this World
Password Day, it's important to look at the practical solutions to this
impractical problem, accelerated by more and more aspects of our lives going
online.
To ensure your personal and work-related
accounts, as well as the sensitive data residing within them, remain secure:
- Use a password manager...but do
your research. Some have been breached in the past, and you want to make sure
your choice is reliable, safe and up to date
- Use a different, complex
password for every website. This reduces your risk of credential stuffing
attacks, where hackers take login details harvested from breached websites to
log into users' accounts on other, unaffected sites. A password manager makes
this process much easier as it will create lengthy, unique passwords for each
site
- Remember that the longer the
password, the longer it takes for digital adversaries to crack it,
thus deterring successful brute force attacks
- Avoid overused practices like
adding an exclamation point at the end, including phrases associated with
family or pets, or using incremental numbers. Hackers use these well-known
patterns to guess your password, and you'll just make their jobs easier
- Give only fake answers to
security questions that would help you recover your password, so hackers cannot
mine that information from snooping on you online. One example would be your
mother's maiden name. With some social media searching, this would be easy to
identify, so choose a made up name only you would know
- Implement multi-factor
authentication wherever available to create extra hurdles for cybercriminals
There will always be varying degrees of
account compromise. If someone hacked my LinkedIn, they might post something
embarrassing, but it's easy to change the password and regain control. However,
if they broke into my online bank account or used my credit card on Amazon to
rack up charges, we'd be looking at significant damage. Wouldn't it be better
to prevent all of these incidents, though? Implementing these best practices
across your online presence will do just that--and protect both you and your
company on an ongoing basis."
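Two of Ryerse's points, that length multiplies cracking time and that well-known habits (a trailing exclamation mark, a word plus incremental digits, a pet's name) make the attacker's job easier, can be put into numbers. The script below is an added example, not code from ConnectWise or from this article. It computes the brute-force search space a candidate password presents, converts it to an expected cracking time at an assumed offline guess rate, and lists the habits that let a cracker skip most of that space. The guess rate of ten billion per second and the tiny stand-in word list are illustrative assumptions, not figures from the article.

```python
import math
import re

# Constructed stand-in for a real cracking dictionary (breach word lists run to
# hundreds of millions of entries); the names here are invented for the example.
COMMON_WORDS = {"password", "welcome", "summer", "fluffy", "smith", "qwerty"}

# Assumed offline guess rate for a fast unsalted hash on commodity GPUs (illustrative).
ASSUMED_GUESSES_PER_SECOND = 1e10


def charset_size(password):
    """Size of the character-class union an exhaustive search has to cover."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"\d", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation plus space
    return size


def brute_force_bits(password):
    """Upper bound on the search space in bits: length * log2(charset size)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def seconds_to_crack(password, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Expected time for exhaustive search to hit the password (half the keyspace)."""
    return 2 ** brute_force_bits(password) / 2 / guesses_per_second


def pattern_findings(password):
    """Well-known habits that let a cracker search far less than the full keyspace."""
    findings = []
    lowered = password.lower()
    if re.search(r"[!?.]$", password):
        findings.append("trailing-punctuation")
    if re.search(r"^[A-Za-z]+\d{1,4}[!?.]?$", password):
        findings.append("word-plus-digits")       # e.g. Fluffy1, Fluffy2, ...
    if re.search(r"(012|123|234|345|456|567|678|789|987|876|765|654|543|432|321|210)", password):
        findings.append("sequential-digits")
    if re.search(r"(19|20)\d\d", password):
        findings.append("year")
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            findings.append("dictionary-word:" + word)
    if len(password) < 12:
        findings.append("shorter-than-12")
    return findings


def assess(password):
    """Summarise a candidate: the brute-force bound and why the real effort is lower."""
    return {
        "length": len(password),
        "bits": round(brute_force_bits(password), 1),
        "brute_force_years": seconds_to_crack(password) / (365 * 24 * 3600),
        "findings": pattern_findings(password),
    }


if __name__ == "__main__":
    # Constructed candidates: two typical human choices and one generated by a manager.
    for candidate in ["summer123", "Fluffy2020!", "gL7#vQ2pWx9$rTk4"]:
        print(candidate, assess(candidate))
```

The bit count is the attacker's worst case, which is why a password-manager string of sixteen random characters comes out at roughly a hundred bits with no findings. The two human-style candidates look respectable by that measure alone, but each carries findings that a dictionary-plus-rules attack exploits first, so their effective strength is a fraction of the bound.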
Grant McCormick, CIO, Exabeam
"For World Password Day 2020, we'll look at some of the most prevalent
password-related risks associated with the sudden remote work transition.
First, we've seen multiple credential stuffing campaigns -- where bad actors
use passwords from previously breached sites to break into accounts on
unaffected sites -- initiated against organizations crucial to both working
from home and handling the global pandemic. In April, cybercriminals put large
numbers of account information belonging to both Zoom users and employees of
the WHO, CDC and Gates Foundation, up for sale online, likely gathered from
other breaches. This is particularly dangerous for individuals and
organizations because these credentials could be used to access corporate
accounts then move laterally through the network to cause deeper damage.
Technology consumers who happen to be physically restricted by the
COVID-19 lockdown should bring their own lockdown
to password management: by establishing different passwords for all of their
accounts, immediately changing passwords on sites that have been breached and
using multi-factor authentication wherever it is available.
Hostile cyber actors are not sheltering in place -- very much the
contrary. To remediate incidents involving user credentials and respond to
adversaries, organizations must move fast and consider an approach that is
closely aligned with monitoring user behavior - to provide the necessary
visibility needed to restore trust, and react in real time, to protect user
accounts. This should include the ability to detect, using behavioral
characteristics, when abnormal events have occurred.
Second, Zoombombing and eavesdropping threats have risen in
prevalence. Zoom launched into action to upgrade its encryption standards, and many organizations using the
tool moved quickly to ensure password and host setting best practices. For
companies, accessing Zoom accounts in concert with SSO / identity access
management (IAM) platforms is critical. We also recommend making passwords a
default requirement for all Zoom meetings, requiring all employees add passwords
to existing meetings and ensuring each meeting owner changes screenshare
settings to 'host only.' All organizations should also utilize end-to-end
encryption and continuously update their video conferencing clients and broader
endpoint software stack. This advice applies to all B2B video conferencing
solutions.
While most remain hopeful about therapies and even a cure for
COVID-19, credential-based attacks and digital privacy issues will remain long
after the pandemic. Thus, these practices should remain top of mind year-round
in 2020 and beyond."
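Both Becker and McCormick point at credential stuffing, and McCormick's remedy for organizations is behavioural detection. The block below is an added example, not Exabeam's product or code from this article: it runs a simple stuffing detector over a few constructed authentication log lines. The signature it looks for is the one that separates stuffing from an ordinary forgotten password: many distinct usernames, one or two attempts each, from one source address in a short window. The log format, the five-minute window and the threshold of five distinct usernames are assumptions chosen for the example; the addresses are documentation ranges, not real hosts.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format for the example (not from the article or any product):
#   <ISO-8601 UTC timestamp> src=<ip> user=<name> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) "
    r"src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_auth_log(lines):
    """Turn raw lines into (timestamp, ip, user, succeeded) tuples, oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines in another format are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "OK"))
    return sorted(events)


def detect_credential_stuffing(lines, window=timedelta(minutes=5), min_distinct_users=5):
    """Sliding-window detector: alert on a source IP that tries at least
    min_distinct_users different usernames within `window`.  One user failing
    repeatedly (typo, lockout) never trips it; many users with a single attempt
    each is the stuffing signature.  Any success from a flagged source is
    recorded as a probably compromised account."""
    recent = defaultdict(deque)   # ip -> deque of (ts, user, succeeded) inside the window
    alerts = {}
    for ts, ip, user, ok in parse_auth_log(lines):
        q = recent[ip]
        q.append((ts, user, ok))
        while q and ts - q[0][0] > window:
            q.popleft()               # drop events that fell out of the window
        users_in_window = {u for _, u, _ in q}
        if len(users_in_window) >= min_distinct_users:
            alert = alerts.setdefault(
                ip, {"first_seen": q[0][0], "users": set(), "compromised": set()}
            )
            alert["users"] |= users_in_window
            alert["compromised"] |= {u for _, u, s in q if s}
            alert["last_seen"] = ts
    return alerts


# Constructed sample log: one source walking through a leaked credential list
# (one attempt per user, one of them succeeds), one ordinary user mistyping
# her own password twice, and a later lone attempt from the first source.
SAMPLE_LOG = """
2020-04-21T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2020-04-21T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2020-04-21T10:00:03Z src=203.0.113.7 user=carol result=FAIL
2020-04-21T10:00:04Z src=203.0.113.7 user=dave result=FAIL
2020-04-21T10:00:05Z src=203.0.113.7 user=erin result=FAIL
2020-04-21T10:00:06Z src=203.0.113.7 user=frank result=OK
2020-04-21T10:00:30Z src=198.51.100.4 user=alice result=FAIL
2020-04-21T10:00:41Z src=198.51.100.4 user=alice result=FAIL
2020-04-21T10:00:55Z src=198.51.100.4 user=alice result=OK
2020-04-21T10:30:00Z src=203.0.113.7 user=grace result=FAIL
""".strip().splitlines()

if __name__ == "__main__":
    for ip, alert in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, "tried", sorted(alert["users"]), "compromised:", sorted(alert["compromised"]))
```

The response McCormick describes follows directly from the alert contents: the `compromised` set is the list of accounts to reset and sessions to revoke, and the source address goes to the edge for blocking or step-up authentication. In production the per-IP view is only one dimension; stuffing tools spread attempts across proxies, so the same window logic is usually also run per target account and per user-agent, and a rate of one attempt per username is itself a stronger signal than the failure count.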
Johan Pellicaan, VP & Managing Director EMEA, Scale Computing
"Password
protection is the frontline of security processes for any business, and
employees are the first line of defense for any organization implementing an
all-encompassing cybersecurity strategy. With the potential for threats such as
phishing emails and ransomware attacks ever-rising, especially in the current
remote working landscape, it's never been more important to get each element of
this cybersecurity strategy right.
Precautions
like advanced passwords and multi-factor authentication are important cogs in a
truly secure remote working operation, as are things like a VDI deployment
running on a hyperconverged edge computing solution. With VDI technology in
place, end users can log in securely to any machine on a network and then
access their emails, files and applications as usual. They aren't limited to PC
terminals -- they simply load their personal desktop or applications on their
mobile phone or tablet, significantly boosting workforce agility.
Furthermore,
by remotely monitoring user profiles - regardless of location - IT teams can
reduce security risks by identifying potentially suspicious activity and
logging out inactive users. A VDI deployment can also offer a cost-effective
and secure method to extend network access beyond the office walls to provide
remote access to employees wherever they are located.
The majority
of businesses find that managing BYODs brings a considerable number of security
and admin challenges. However, by integrating BYODs onto an officially
sanctioned VDI environment, employee mobiles and tablets can be more
effectively protected from potential security risks, so information is better
secured from accidental disclosure and loss."
Yev Pusin, Director of Strategy, Backblaze
"This
World Password Day reminds us that while backing up is key to protecting your
data, the simple task of protecting your computer, systems, and online accounts
with strong passwords is an effective measure to securing your data as well. A
strong password strategy means using best practices like different passwords
for every service, changing passwords frequently, remembering that 123456 is
never a good password, and using a secure password manager to keep everything
sorted.
A strong
password is a good start, but you can really lock your accounts down by adding
two-factor authentication to any accounts that have the option (and remember to
create backup codes)!
These simple
steps could halt cyberattacks such as credential stuffing or hacking of
personal details. But ultimately, using passwords effectively requires a
disciplined approach that always stays one step ahead of cybercriminals. Stay
safe out there!"
Wieger van der Muelen, Global IT-Security Manager / CISO at Leaseweb Global
"As the
COVID-19 crisis continues, so too does the spike in phishing scams and spam
attacks on remote workers as hackers relentlessly use it to their advantage.
Not only are workers having to adapt to working from home full-time, but the IT
teams of the organisations they belong to must contend with adapting current IT
systems to fit with a home environment. It is at times like these - more so
than usual - that it is vitally important that simple security measures are
followed. Simple yet effective steps like ensuring passwords are suitably
protected spring to mind. Regularly updating passwords, having different ones
for different applications stored in a password manager, and two-factor
authentication are all practical steps towards making it much more difficult
for hackers to infiltrate information. While the chaos around COVID-19 ensues,
with all of its social and financial pressures, the last thing a company wants
is to fall prey to a ransomware or phishing attack. By acting smart now, we can
all avoid that risk."